The privacy bomb and cost of personal data debt
I often hear architects talk about technical debt but it strikes me that a different debt is waiting for insurers.
Imagine a world where the regulator says that a customer owns data about the customer, regardless of where it is stored. The key observation here is the decoupling of ownership and control with storage. Most regulators have gone nearly this far and made statements about consumer ownership of consumer data, so perhaps it's not out of step with reality. This is discussion so far but perhaps the technology hasn't caught up with the intent. If we ignore the limits of technology ...
There are perhaps 3 models emerging:
- A. The data remains where it is and is controlled from there. Requires APIs...
- B. The data moves as customer moves. Requires data standards...
- C. Customer data is held in a shared environment. Requires APIs and data standards
Let's take a moment to really think that through for an insurer. If you hold data about a customer in your systems, that data is owned by another party. Ownership here is a complex word - it implies but is not limited to controlling access to the data, determining appropriate use of the data, revoking access to the data, determining how long that data is kept.
Scenario A
What if the storers are obliged to provide these controls to the owner of the data and actually - what if that obligation exists regardless of whether that owner is a customer?
Such a scenario may make it prohibitive for insurers to capture and store data directly. What would the world look like in such a scenario? Insurers would request access to customers data and have to disclose why they want the data, what they will do with it and perhaps the algorithms used in order to offer products. Such a world might favour insurers with simpler pricing algorithms that are more expensive but customers understand what is being done with the data.
If we take it a step further, in theory there would be intermediaries emerge who help manage consumer data and help consumers simply share their data with trusted partners. I would suggest most people would not dig into the detail of who is sharing what so a service that says, "we've found these 15 services that only use the data in these ways and we've packaged that up for you" would be most welcome.
If however, we take existing businesses into this world then suddenly enterprises will be faced with the issue of how do they offer appropriate controls and management around the data already in place.
The standard already exists for sharing information in this way leveraging OAUTH as is used by Twitter, LinkedIn, Google and Facebook.
Scenario B
The cost for doing migration and conversion will lie with the party holding the data. A different type of debt.
This is the model the insurance industry is assuming will come to pass but it requires shared data standards which are harder to implement than API standards. There is also the issue of potentially lossy data migrations - I.e. The quality of the data is reduced in the migration - will this be 'OK' from a regulatory point of view?
Further this is more confusing for a consumer since the mechanism and means to manage access to the data will change each time there is a move. An approach intended to increase portability and movement could become an inhibitor as consumers grow concerned about retraining.
In theory though, this would allow insurers to differentiate on trust and service - a place where they already play.
Scenario C
The greatest challenge with a shared environment is who is the trusted party? Google, Twitter, Facebook and LinkedIn among others have made moves into authentication but they don't hold all the data and regulators in multiple countries are seeking to grasp control and this is a topic for Insurtech startups as well.
Some see Blockchain as a possible solution - the data in a shared open place, but secured and encrypted.
At this point this seems like the least likely solution, requiring the greatest cooperation and investment from the industry and governments. Regulators at this point seem to be supporting the other two.
Which will come to pass
There is a clear trend with private data becoming more valuable, but the cost of storing it is becoming more onerous. Regardless of which of the scenarios comes to pass or if some other scheme emerges - insurers must balance the cost of storing the data and the value it may bring now and in the future.